This article can also be found in the Premium Editorial Download "Information Security magazine: What's your biggest information security concern?."
Download it now to read this article plus other related content.
Powerful new security testing tools examine and evaluate your security products and investments to ensure you won't be stuck with a lemon.
The inline IPS appliance, firewall or VPN gateway you're considering spending tens of thousands of dollars deploying is supposed to be a Rolls-Royce, but it may be an Edsel. Meanwhile, the business people are pressing for quick implementations of new protocols and homegrown apps that haven't been properly scrubbed for security flaws.
Nervous? You should be. The process of scrubbing products and kicking system tires for bugs and security seems endless: You endure nerve-wracking testing and patching drills; vendors work out their bugs with each release, but the pressure is on you. Without production-grade security product testing, how can you be sure your networks will run safely and smoothly when the rubber hits the road?
To search for an answer, we test-drove the 10-ton wreckers of security testing tools for product evaluation; this new family of tools runs roughshod through systems, generating an onslaught of nasty traffic to find flaws before the bad guys do. We're not talking about simply reworked or repackaged vulnerability assessment scanners and exploitation engines, these are slick, powerful commercial packages that integrate and build on several ideas pioneered in free and open source software.
Information Security examined Karalon's Traffic IQ Pro, Ixia's Aptixia IxLoad, Spirent
|What's New Here?|
In the mid-1990s, we saw the release and rapid adoption of vulnerability assessment scanners such as SATAN, ISS's Internet Scanner and Nessus. Using a database of known vulnerabilities, these automated tools probe target systems for exploitable flaws.
Between 2002 and 2004, exploit frameworks, such as the free Metasploit project and the commercial Core IMPACT and Immunity CANVAS tools, came into vogue. They complement VA scanners, allowing security pros to exploit a target machine, gain remote control and use it for further compromise of other machines, and making them ideal for penetration testing.
So, are today's flaw-finding tools merely repackaged vulnerability scanners or exploitation frameworks? Or, does this new category supplant the previous categories? The answer is no on both counts: This new generation of products gives us the means to conduct automated testing under extreme conditions, possibly even finding zero-day flaws.
So, don't throw out your vulnerability scanner or exploitation framework, but don't think they can be repurposed to match these new powerhouses.
Each of these security tools generates attack traffic -- a lot of it -- using some combination of these methods:
Database of known exploits: Drawing on hundreds or thousands of previously discovered exploits in the wild, the tool shoots packets from one or more spoofed source addresses to one or more targets.
Transformation engine: Employing methods commonly employed by the bad guys, the tool can alter each exploit to evade detection mechanisms. For example, it can simply change the port associated with a given attack, such as launching an HTTP exploit at a port other than a TCP port (a surprising number of IPSes will allow such simple modifications). Other transformations, such as packet fragmentation (which slices packets into smaller chunks and creates overlapping fragments to fool detection signatures), go deeper, and different encoding schemes tweak the representation of various characters.
Protocol fuzzer: Instead of using a database of known exploits, this functional component generates its own packets by trying a series of unusual values within given protocol fields to see if the target application hiccups or crashes. While fuzzing typically generates an enormous set of permutations that may take days or weeks to work through, it offers a fine-grained method for putting a product through rigorous testing. For example, if a given field in a protocol header is eight bits long with a dozen different officially assigned values, a fuzzer might try all possible combinations of eight bits (256 possibilities), or launch packets with this field larger than eight bits long to see how the end system handles it. These attacks may crash the system or hog 100 percent of the CPU cycles, effectively creating a DoS condition. Fuzzing, given enough time, often finds serious flaws that could let an attacker crash or execute code on a target machine.
Legitimate traffic-load generator: This mechanism generates normal traffic for the target, typically at high speeds, to see if the target starts leaking normal or mixed-in attack traffic when under performance duress. Such tools are not just useful for performance testing; they also can shed light on security vulnerabilities.
Traffic editor: These tools allow a user to tweak known exploits or even create their own, increasing their flexibility in the hands of experienced testers.
Analysis tools: Finding security flaws and vulnerabilities
Traffic generation is only part of the equation. These security flaw-finders really shine in their measurement and analysis tools; they operate in inline mode and target mode. (See "How Attack Tools Work," at right.)
Inline mode is focused on checking the implementation and configuration of inline devices, such as IPSes, firewalls and VPN gateways. It employs a traffic sender and receiver, spewing packets through an inline device and providing detailed analysis and metrics to diagnose the flaws that allowed traffic through to the receiver.
Target mode shoots various combinations of traffic at a device and measures the impact in terms of process crashes, operating system failure and sluggish performance. Target-mode tests can help find subtle security flaws, like zero-day vulnerabilities, in the lab before solutions are fielded.
For target-mode analysis, some tools include monitoring software that analyzes the target system in real time for evidence of impairment, such as a process crash, CPU load increase or OS crash (such as the less frequent, but still problematic, Windows Blue Screen of Death).
Passive monitors wait for the target system to emit some indication of trouble, such as a syslog entry or SNMP trap. Active monitors interact with the target system, pinging it to make sure it's still functional, or logging in using Telnet or SSH periodically to see the status of the target process or system as each test condition is launched. Ideally, a security flaw-finder will include passive and active monitors.
Finally, reset/reboot functionality allows the tool to restart a process or reboot the entire system so testing can proceed unattended for hours, days or weeks if a process must be restarted or a crashed system rebooted.
Showroom Models: Choosing the best security product for you
We analyzed four tools in this nascent market to determine their capabilities and particular focus, rather than comparing them in a product "bakeoff." Each vendor approaches testing with a different set of emphases, allowing enterprises to choose which focus best suits their needs.
Karalon's Traffic IQ Pro is designed for testing inline products. Installed on a dual-homed Windows machine, Traffic IQ Pro configures one network interface to represent the traffic sender, and the other to implement the traffic receiver. It's the only purely software tool in the bunch. That's convenient from the perspective of not having to lug around a custom appliance to test. However, your hardware may not be able to generate the enormous traffic loads of which the appliance-based tools are capable.
The database of known exploits is quite comprehensive, including a multitude of HTTP exploits and traffic used to control backdoors and bots. It's easy to choose the right mix of attack traffic to test the policy settings on your inline device. Traffic IQ Pro allows manual editing, but not protocol fuzzing. Transformation options, such as fragmentation and various HTTP encoding schemes, are supported in a completely separate Karalon tool, Traffic Gateway.
Ixia's Aptixia IxLoad tests inline security products under extreme traffic loads. Like Karalon, IxLoad utilizes a sender/receiver architecture, but on a specialized appliance capable of generating multi-gigabit traffic loads of more than one million concurrent TCP sessions. Users can configure the tool to generate large amounts of legitimate traffic for various protocols, including HTTP, HTTPS, FTP, SMTP and DNS, from a user-definable number of source addresses aimed at multiple target addresses. IxLoad offers fine-grained control over traffic, bandwidth usage and concurrent sessions. One of the most impressive aspects of this complex tool is its statistical analysis, showing how the tested device performed under various loads.
IxLoad relies on several approaches to generate exploits rather than a set database, including standard Nessus attack traffic and DDoS traffic types, such as SYN floods. Users can incorporate their malicious Web pages that include some sort of browser exploit to verify that inline IPS tools protect clients from the browser exploit du jour. Finally, IxLoad lets users define malicious email attachments that can be shot through the device using SMTP.
Treating compliance headaches with security compliance tools
While organizations work to educate end users, regulatory compliance remains a chore for many.
|Standard Options: Fuzzers & Sploits|
|Click here for an overview of the most popular free network-based IPS tools (PDF).|
The tool does not allow traffic editing, but does let users import a packet-capture file to launch through a device under test. Therefore, a tester can use a packet-crafting tool like the free Nemesis or Hping2 (see "Standard Options: Fuzzers & Sploits"), or any other exploit tool to generate attack traffic. Then, using a sniffer, such as tcpdump, the tester can capture the attack traffic in a file, which can then be imported into IxLoad.
While protocol fuzzing and transformations are not supported, IxLoad does allow for the "impairment of protocols," which can drop/duplicate packets or apply simple fragmentation schemes.
Spirent Communications' ThreatEx is available on several appliances, with different performance characteristics to meet traffic load requirements. Like most tools in this genre, ThreatEx was designed to test inline devices, but can also be used for target-mode tests, given its active monitoring capability based on port scans and pings to measure whether a target service or system is still responsive.
ThreatEx sends various forms of malicious traffic, but you'll need to buy a separate tool to generate legitimate traffic, such as Spirent's Avalanche product, which is capable of generating more than two Gbps.
Protocol fuzzing is supported, with HTTP, VoIP and 802.11 wireless protocols, among others. Exploit transformation employs fragmentation and resequenced packets. Traffic editing requires another product, Threat Designer, that lets customers create or tweak existing protocols.
Mu Security's Mu-4000 Security Analyzer is the most comprehensive of the testing tools we analyzed, offering well-designed inline and target mode testing options. The Mu-4000 includes all of the functional components we've covered, with the exception of a legitimate traffic generator, which can be provided using a third-party tool such as the free tcpreplay connected in parallel.
The Mu-4000 is outstanding for its protocol fuzzing, target monitoring and user interface.
Showing characteristics of what one Mu Security executive calls a "fuzzer with a brain," the Mu-4000 can fuzz more than two dozen protocols (including HTTP, SSL, IPv4, IPv6 and SIP). Active and passive monitors are available to verify that the service is still functional. The active monitors, in particular, are well thought out, and let the Mu-4000 log in to the target machine using Telnet or SSH, run commands, and then use regular expressions against the command output to verify the target's status.
When monitors detect trouble, they record current and recently sent traffic that may have caused the condition, and then restart the service. Considering the tool's complexity, the GUI is impressive and easy to use, walking users through a series of point-and-click screens to fully configure a test.
Enterprise benefits: Inline test mode products
Vendors can use these tools to test their software before they ship products, reducing the need for embarrassing patches. But enterprises should consider bringing them in-house.
Products supporting inline test mode can be used to verify that firewalls and IPS deployments match corporate policy and configuration guidelines. You can check to make sure your firewalls are configured to allow only certain ports or enforce protocol standards. Or, you can audit a finely tuned signature base for IDS, IPS or other packet inspection engines. In fact, as organizations update their firewall, IPS and IDS configurations, and patch levels, this kind of testing tool can be used for change control, to make sure the updated systems meet security expectations, or to verify the effectiveness of defenses for compliance.
These attack tools are ideal for evaluating products under heavy traffic loads and allowing you to conduct intensive testing without costly and time-consuming manual testing. You can test, for example, whether a given IPS is capable of detecting common attacks as well as common transformations used by the bad guys.
Target-mode testing can tell you whether commercial, custom or freshly patched software will handle the stew of unusual packets it must face in a hostile environment.
As vendors release new implementations of TCP/IP stacks (such as those included in Windows Vista), or provide a constant stream of patches for their existing products, you can conduct thorough testing in your own labs rather than just depending on the vendor to find flaws in advance.
And remember, the bad guys already perform this kind of testing.
This was first published in December 2006